CVE-2026-4858
Received Received - Intake
Path Traversal in Mattermost Integration URL

Publication date: 2026-05-21

Last updated on: 2026-05-21

Assigner: Mattermost, Inc.

Description
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check integration URL for path traversal which allows an malicious authenticated user to call an arbitrary API via system admin Mattermost auth token using via path traversal in integration action URL.. Mattermost Advisory ID: MMSA-2026-00640
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-21
Last Modified
2026-05-21
Generated
2026-05-21
AI Q&A
2026-05-21
EPSS Evaluated
N/A
NVD
CVE-2026-4858
EUVD
EUVD-2026-31242
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
mattermost mattermost to 11.6.0 (inc)
mattermost mattermost to 11.5.3 (inc)
mattermost mattermost to 11.4.4 (inc)
mattermost mattermost to 10.11.14 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in certain versions of Mattermost (11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14) where the software fails to properly check integration URLs for path traversal.

Because of this, a malicious authenticated user can exploit the path traversal in the integration action URL to call arbitrary APIs using a system admin Mattermost authentication token.


How can this vulnerability impact me? :

This vulnerability can have a severe impact because it allows a malicious authenticated user to perform actions with system admin privileges by exploiting the path traversal flaw.

The attacker can call arbitrary APIs, potentially leading to full compromise of the Mattermost system, including unauthorized access, modification, or deletion of data.

The CVSS base score of 8.0 indicates a high severity, with high impact on confidentiality, integrity, and availability.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should update Mattermost to a version later than the affected versions (11.6.0, 11.5.3, 11.4.4, 10.11.14) where the path traversal issue in integration URLs is fixed.

Additionally, monitor the Mattermost Security Updates page for official patches and advisories.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart